The hackers, said to be the same group that breached the Democratic National Committee (DNC) in 2016, currently have the power to kill the devices simultaneously and, as a result, cut off internet access for vast numbers of people, the researchers warned. The FBI announced late Wednesday that it was dismantling the botnet.

The hackers have installed malware known as VPNFilter on all those routers, which come from a range of vendors including Linksys, MikroTik, Netgear and TP-Link and which had publicly known vulnerabilities. Victims were spread across 54 countries, but most of the targets were based in Ukraine, where devices were being hacked at an “alarming rate,” Cisco Talos wrote in its report. VPNFilter also shares code with another Russia-linked spy tool, BlackEnergy, which was previously used to attack Ukrainian power providers.

The attacks go back to at least 2016 but, as with the warning issued in April by the U.S. Department of Homeland Security (DHS) and the U.K.'s National Cyber Security Centre (NCSC), it appears the attackers are planning something significant further down the line. (The NCSC told Forbes it couldn't confirm whether there was overlap between its own research into Russian activity and Cisco's findings.)

It's possible the infiltrators want to take a large number of users offline using a kind of kill switch. “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Cisco's researchers wrote.

Beyond the possibility that it will be used in a widespread destructive attack, the malware can also snoop on traffic passing through the infected router to steal data such as website login details. Going deeper, VPNFilter also monitors software used in critical infrastructure environments. And the attackers have set up their own encrypted communications over the Tor network.

Martin Lee, technical lead for security research at Cisco Talos, wouldn't attribute the attacks to a specific country, but did link them to the hacker crew known as APT28, which the U.S. has linked to Russia and blamed for the DNC hack of 2016, leading up to that year’s election.

Lee was particularly concerned about the potential for attacks on critical infrastructure too. “What is also worrying is that this malware has a module which targets MODBUS, a protocol used to operate industrial control systems which may be found in power stations or railway track point controls,” he told Forbes.

“There are also similarities between this malware and the BlackEnergy attacks that previously affected electricity supply in Ukraine ... it is vital that organisations which protect industrial systems such as the water and electricity supply take the necessary steps to protect against attacks such as these.”

Imminent attack possible

Cisco said it was issuing a warning as it was concerned an attack on Ukraine was imminent. The company’s researchers saw a sudden uptick in VPNFilter infections in the country starting May 8. According to Reuters, Ukraine's SBU state security service believes Russia is planning an attack ahead of the Champions League final in Kiev, taking place this weekend.

Cisco's researchers don’t believe the devices are going to be cleaned any time soon. “Defending against this threat is extremely difficult due to the nature of the affected devices,” the report continued. “The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.”

The news comes at a time of great fear about Russia’s online espionage capabilities. This April, in his first speech as GCHQ director, Jeremy Fleming called out “unacceptable” online behavior from the Kremlin.

Russia, meanwhile, has openly lambasted claims about its activity online, strongly denying the allegations made by the U.S. and U.K. authorities in April.

An NCSC spokesperson said of the Cisco findings: “This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats.

“We actively encourage everyone to follow their manufacturer's advice and ensure they are installing patches and using up-to-date antivirus software.”

Cisco and the FBI recommended that anyone who believes they may be infected reboot their devices as soon as possible.

FBI moves

The FBI said it had gained access to control mechanisms of the botnet of 500,000 routers. It also pinned the attacks on APT28.

“Today's announcement highlights the FBI's ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said FBI assistant director Scott Smith.

“By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”